


# Sample queries
<a name="CWL_QuerySyntax-examples"></a>

This section contains a list of general and useful query commands that you can run in the [CloudWatch console](https://console.aws.amazon.com/cloudwatch/). For information about how to run a query command, see [Tutorial: Run and modify a sample query](https://docs.aws.amazon.com/en_us/AmazonCloudWatch/latest/logs/CWL_AnalyzeLogData_RunSampleQuery.html) in the *Amazon CloudWatch Logs User Guide*.

For more information about the query syntax, see [CloudWatch Logs Insights query language syntax](CWL_QuerySyntax.md).

**Topics**
+ [General queries](#CWL_QuerySyntax-examples-general)
+ [Queries for Lambda logs](#CWL_QuerySyntax-examples-Lambda)
+ [Queries for Amazon VPC flow logs](#CWL_QuerySyntax-examples-VPC)
+ [Queries for Route 53 logs](#CWL_QuerySyntax-examples-Route53)
+ [Queries for CloudTrail logs](#CWL_QuerySyntax-examples-CloudTrail)
+ [Queries for Amazon API Gateway](#CWL_QuerySyntax-examples-APIGateway)
+ [Queries for NAT gateway](#CWL_QuerySyntax-examples-NATGateway)
+ [Queries for Apache server logs](#CWL_QuerySyntax-examples-Apache)
+ [Queries for Amazon EventBridge](#CWL_QuerySyntax-examples-EventBridge)
+ [Examples of the parse command](#CWL_QuerySyntax-examples-parse)

## General queries
<a name="CWL_QuerySyntax-examples-general"></a>

**Find the 25 most recently added log events.**

```
fields @timestamp, @message | sort @timestamp desc | limit 25
```

**Get a list of the number of exceptions per hour.**

```
filter @message like /Exception/ 
    | stats count(*) as exceptionCount by bin(1h)
    | sort exceptionCount desc
```

**Get a list of log events that are not exceptions.**

```
fields @message | filter @message not like /Exception/
```

**Get the most recent log event for each unique value of the `server` field.** `dedup` keeps the first event it sees for each value, so the events must be sorted newest first.

```
fields @timestamp, server, severity, message 
| sort @timestamp desc 
| dedup server
```

**Get the most recent log event for each unique value of the `server` field, for each `severity` type.**

```
fields @timestamp, server, severity, message 
| sort @timestamp desc 
| dedup server, severity
```

## Queries for Lambda logs
<a name="CWL_QuerySyntax-examples-Lambda"></a>

**Determine the amount of overprovisioned memory.**

```
filter @type = "REPORT"
    | stats max(@memorySize / 1000 / 1000) as provisionedMemoryMB,
        min(@maxMemoryUsed / 1000 / 1000) as smallestMemoryRequestMB,
        avg(@maxMemoryUsed / 1000 / 1000) as avgMemoryUsedMB,
        max(@maxMemoryUsed / 1000 / 1000) as maxMemoryUsedMB,
        provisionedMemoryMB - maxMemoryUsedMB as overProvisionedMB
```

**Create a latency report.**

```
filter @type = "REPORT" |
    stats avg(@duration), max(@duration), min(@duration) by bin(5m)
```

**Search for slow function invocations and eliminate duplicate requests that might arise from retries or client-side code. In this query, `@duration` is in milliseconds.**

```
fields @timestamp, @requestId, @message, @logStream 
| filter @type = "REPORT" and @duration > 1000
| sort @timestamp desc
| dedup @requestId 
| limit 20
```

## Queries for Amazon VPC flow logs
<a name="CWL_QuerySyntax-examples-VPC"></a>

**Find the top 15 packet transfers across hosts.**

```
stats sum(packets) as packetsTransferred by srcAddr, dstAddr
    | sort packetsTransferred  desc
    | limit 15
```

**Find the top 15 byte transfers for hosts on a given subnet.**

```
filter isIpv4InSubnet(srcAddr, "192.0.2.0/24")
    | stats sum(bytes) as bytesTransferred by dstAddr
    | sort bytesTransferred desc
    | limit 15
```

**Find the IP addresses that use UDP as the data transfer protocol.**

```
filter protocol=17 | stats count(*) by srcAddr
```

**Find the IP addresses for which flow records were skipped during the capture window.**

```
filter logStatus="SKIPDATA"
    | stats count(*) by bin(1h) as t
    | sort t
```

**Find one record per connection to help troubleshoot network connectivity issues.**

```
fields @timestamp, srcAddr, dstAddr, srcPort, dstPort, protocol, bytes 
| filter logStream = 'vpc-flow-logs' and interfaceId = 'eni-0123456789abcdef0' 
| sort @timestamp desc 
| dedup srcAddr, dstAddr, srcPort, dstPort, protocol 
| limit 20
```

## Queries for Route 53 logs
<a name="CWL_QuerySyntax-examples-Route53"></a>

**Find the distribution of records per hour by query type.**

```
stats count(*) by queryType, bin(1h)
```

**Find the 10 DNS resolvers with the highest number of requests.**

```
stats count(*) as numRequests by resolverIp
    | sort numRequests desc
    | limit 10
```

**Find the number of records by domain and subdomain where the server failed to complete the DNS request.**

```
filter responseCode="SERVFAIL" | stats count(*) by queryName
```

## Queries for CloudTrail logs
<a name="CWL_QuerySyntax-examples-CloudTrail"></a>

**Find the number of log entries for each service, event type, and AWS Region.**

```
stats count(*) by eventSource, eventName, awsRegion
```

**Find the Amazon EC2 hosts that were started or stopped in a given AWS Region.**

```
filter (eventName="StartInstances" or eventName="StopInstances") and awsRegion="us-east-2"
```

**Find the AWS Regions, user names, and ARNs of newly created IAM users.**

```
filter eventName="CreateUser"
    | fields awsRegion, requestParameters.userName, responseElements.user.arn
```

**Find the number of records where an exception occurred while invoking the `UpdateTrail` API.**

```
filter eventName="UpdateTrail" and ispresent(errorCode)
    | stats count(*) by errorCode, errorMessage
```

**Find log entries where TLS 1.0 or 1.1 was used.**

```
filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ]
| stats count(*) as numOutdatedTlsCalls by userIdentity.accountId, recipientAccountId, eventSource, eventName, awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent
| sort eventSource, eventName, awsRegion, tlsDetails.tlsVersion
```

**Find the number of calls per service that used TLS 1.0 or 1.1.**

```
filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ]
| stats count(*) as numOutdatedTlsCalls by eventSource
| sort numOutdatedTlsCalls desc
```
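An added Python check, not from the AWS page, that runs the `UpdateTrail` error query and the per-service TLS 1.0/1.1 query above over constructed CloudTrail events, resolving dotted field paths the way the queries reference them and treating a missing `tlsDetails` as `ispresent` false rather than as a match. The events and account IDs are constructed samples.

```python
from collections import Counter

OUTDATED_TLS = {"TLSv1", "TLSv1.1"}

# Constructed sample events; the field names follow CloudTrail's JSON shape, the values are made up.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "111111111111"}, "recipientAccountId": "111111111111",
     "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES128-SHA"},
     "userAgent": "legacy-client/1.0"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "111111111111"}, "recipientAccountId": "111111111111",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"},
     "userAgent": "aws-cli/2.0"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "222222222222"}, "recipientAccountId": "111111111111",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"},
     "userAgent": "legacy-client/1.0"},
    # Not every event carries tlsDetails; a missing field must be skipped, not treated as a match.
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-east-1",
     "userIdentity": {"accountId": "111111111111"}, "recipientAccountId": "111111111111",
     "errorCode": "AccessDenied", "errorMessage": "not authorized to perform cloudtrail:UpdateTrail"},
]

def field(event, path):
    """Resolve a dotted path such as tlsDetails.tlsVersion; None when absent (ispresent is false)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def outdated_tls_calls_by_service(events):
    """filter tlsDetails.tlsVersion in [...] | stats count(*) by eventSource | sort desc."""
    counts = Counter(e["eventSource"] for e in events
                     if field(e, "tlsDetails.tlsVersion") in OUTDATED_TLS)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def update_trail_errors(events):
    """filter eventName="UpdateTrail" and ispresent(errorCode) | stats count(*) by errorCode, errorMessage."""
    counts = Counter((e["errorCode"], e.get("errorMessage")) for e in events
                     if e.get("eventName") == "UpdateTrail" and field(e, "errorCode") is not None)
    return dict(counts)
```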

## Queries for Amazon API Gateway
<a name="CWL_QuerySyntax-examples-APIGateway"></a>

Find the last 10 4XX errors

```
fields @timestamp, status, ip, path, httpMethod
| filter status>=400 and status<=499
| sort @timestamp desc
| limit 10
```

Identify the 10 longest-running Amazon API Gateway requests in an Amazon API Gateway access log group

```
fields @timestamp, status, ip, path, httpMethod, responseLatency
| sort responseLatency desc
| limit 10
```

Return a list of the most popular API paths in an Amazon API Gateway access log group

```
stats count(*) as requestCount by path
| sort requestCount desc
| limit 10
```

Create an integration latency report for an Amazon API Gateway access log group

```
filter status=200
| stats avg(integrationLatency), max(integrationLatency), 
min(integrationLatency) by bin(1m)
```

## Queries for NAT gateway
<a name="CWL_QuerySyntax-examples-NATGateway"></a>

If you notice that your AWS bill is higher than usual, you can use CloudWatch Logs Insights to find the top contributors. For more information about the following query commands, see [How can I find the top contributors to traffic through the NAT gateway in my VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/) on the AWS Premium Support page.

**Note**  
In the following query commands, replace "x.x.x.x" with the private IP of your NAT gateway, and replace "y.y" with the first two octets of your VPC CIDR range.

**Find the instances that send the most traffic through the NAT gateway.**

```
filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```

**Determine the traffic going to and from the instances and the NAT gateway.**

```
filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') or (srcAddr like 'x.x.x.x' and dstAddr like 'y.y.')
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```

**Determine the internet destinations that the instances in your VPC communicate with most often for uploads and downloads.**

**For uploads**

```
filter (srcAddr like 'x.x.x.x' and dstAddr not like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```

**For downloads**

```
filter (dstAddr like 'x.x.x.x' and srcAddr not like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
```
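An added Python sketch, not part of the AWS page, that reproduces the NAT gateway top-talker queries above over constructed flow records; it uses CIDR membership (what `isIpv4InSubnet` does) in place of the `like 'y.y.'` form, because `like` with a plain string is a substring match and also accepts addresses outside the VPC that merely contain that substring. The NAT IP, VPC range and flow records are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Placeholders standing in for x.x.x.x (NAT private IP) and the y.y range (constructed values).
NAT_PRIVATE_IP = ipaddress.ip_address("10.1.0.5")
VPC_CIDR = ipaddress.ip_network("10.1.0.0/16")

# Constructed flow records as (srcAddr, dstAddr, bytes); all values are made up.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.0.5", 5000),    # instance -> NAT
    ("10.1.2.10", "10.1.0.5", 2500),
    ("10.1.3.20", "10.1.0.5", 1000),
    ("10.1.0.5", "10.1.2.10", 9000),    # NAT -> instance
    ("10.1.0.5", "203.0.113.7", 4000),  # NAT -> internet (upload destination)
    ("203.0.113.7", "10.1.0.5", 7000),  # internet -> NAT (download source)
    ("110.1.2.3", "10.1.0.5", 8000),    # outside the VPC, yet contains the substring "10.1."
]

def like_substring(value, pattern):
    """What `addr like 'y.y.'` does: a plain substring test, so it can over-match."""
    return pattern in value

def in_vpc(addr):
    """CIDR membership, the test that isIpv4InSubnet performs."""
    return ipaddress.ip_address(addr) in VPC_CIDR

def is_nat(addr):
    return ipaddress.ip_address(addr) == NAT_PRIVATE_IP

def top_talkers(flows, src_pred, dst_pred, limit=10):
    """stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit."""
    totals = Counter()
    for src, dst, nbytes in flows:
        if src_pred(src) and dst_pred(dst):
            totals[(src, dst)] += nbytes
    return totals.most_common(limit)

def instances_sending_most(flows):  # VPC instance -> NAT
    return top_talkers(flows, in_vpc, is_nat)

def upload_destinations(flows):  # NAT -> outside the VPC
    return top_talkers(flows, is_nat, lambda a: not in_vpc(a))

def download_sources(flows):  # outside the VPC -> NAT
    return top_talkers(flows, lambda a: not in_vpc(a), is_nat)
```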

## Queries for Apache server logs
<a name="CWL_QuerySyntax-examples-Apache"></a>

You can use CloudWatch Logs Insights to query Apache server logs. For more information about the following queries, see [Simplifying Apache server logs with Amazon CloudWatch Logs Insights](https://aws.amazon.com/blogs/mt/simplifying-apache-server-logs-with-amazon-cloudwatch-logs-insights/) on the AWS Cloud Operations & Migrations Blog.

**Find the most relevant fields so that you can review access logs and look at traffic to the */admin* path of your application.**

```
fields @timestamp, remoteIP, request, status, filename
| sort @timestamp desc
| filter filename="/var/www/html/admin"
| limit 20
```

**Find the number of unique GET requests that accessed the home page with status code "200" (success).**

```
fields @timestamp, remoteIP, method, status
| filter status="200" and referrer="http://34.250.27.141/" and method="GET"
| stats count_distinct(remoteIP) as UniqueVisits
| limit 10
```

**Find the number of times the Apache service restarted.**

```
fields @timestamp, function, process, message
| filter message like "resuming normal operations"
| sort @timestamp desc
| limit 20
```

## Queries for Amazon EventBridge
<a name="CWL_QuerySyntax-examples-EventBridge"></a>

Get the count of events grouped by EventBridge event detail type

```
fields @timestamp, @message
| stats count(*) as numberOfEvents by `detail-type`
| sort numberOfEvents desc
```

## Examples of the parse command
<a name="CWL_QuerySyntax-examples-parse"></a>

**Use a glob expression to extract the fields `@user`, `@method`, and `@latency` from the log field `@message`, and return the average latency for each unique combination of `@method` and `@user`.**

```
parse @message "user=*, method:*, latency := *" as @user,
    @method, @latency | stats avg(@latency) by @method,
    @user
```

**Use a regular expression to extract the fields `@user2`, `@method2`, and `@latency2` from the log field `@message`, and return the average latency for each unique combination of `@method2` and `@user2`.**

```
parse @message /user=(?<user2>.*?), method:(?<method2>.*?),
    latency := (?<latency2>.*?)/ | stats avg(latency2) by @method2,
    @user2
```

**Extract the fields `loggingTime`, `loggingType`, and `loggingMessage`, filter down to log events that contain the string `ERROR` or `INFO`, and then display only the `loggingMessage` and `loggingType` fields for events that contain the string `ERROR`.**

```
FIELDS @message
    | PARSE @message "* [*] *" as loggingTime, loggingType, loggingMessage
    | FILTER loggingType IN ["ERROR", "INFO"]
    | DISPLAY loggingMessage, loggingType = "ERROR" as isError
```
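An added Python emulation, not from the AWS page, of the glob form of `parse` followed by `stats`, `filter` and `display`, run over constructed log lines for the first and third patterns above; it assumes each `*` captures lazily up to the next literal and that the final `*` takes the rest of the line.

```python
import re
from collections import defaultdict

def parse_glob(message, pattern, names):
    """Emulate `parse @message "<glob>" as a, b, c`: each * becomes a capture group,
    the rest of the pattern is matched literally. Returns a dict or None if no match."""
    literals = [re.escape(p) for p in pattern.split("*")]
    if len(literals) - 1 != len(names):
        raise ValueError("number of * wildcards must equal number of field names")
    regex = literals[0]
    for i, lit in enumerate(literals[1:]):
        # interior wildcards are lazy so they stop at the next literal; the last one takes the rest
        regex += ("(.*)" if i == len(literals) - 2 else "(.*?)") + lit
    m = re.search(regex, message)
    return dict(zip(names, m.groups())) if m else None

# Constructed log lines matching the two glob patterns on this page.
SAMPLE_MESSAGES = [
    "user=alice, method:GET, latency := 120",
    "user=alice, method:GET, latency := 80",
    "user=bob, method:POST, latency := 300",
    "healthcheck ok",  # no match: parse produces no fields and stats ignores the event
]
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z [ERROR] disk full",
    "2024-05-01T10:00:01Z [INFO] request served",
    "2024-05-01T10:00:02Z [DEBUG] cache hit",  # dropped by the IN ["ERROR", "INFO"] filter
]

def avg_latency_by_method_user(messages):
    """parse ... as user, method, latency | stats avg(latency) by method, user"""
    sums = defaultdict(lambda: [0.0, 0])
    for msg in messages:
        f = parse_glob(msg, "user=*, method:*, latency := *", ["user", "method", "latency"])
        if f is None:
            continue
        key = (f["method"], f["user"])
        sums[key][0] += float(f["latency"])
        sums[key][1] += 1
    return {k: total / n for k, (total, n) in sums.items()}

def error_display(events):
    """parse "* [*] *" | filter loggingType in ["ERROR","INFO"] | display loggingMessage, loggingType = "ERROR" as isError"""
    rows = []
    for msg in events:
        f = parse_glob(msg, "* [*] *", ["loggingTime", "loggingType", "loggingMessage"])
        if f and f["loggingType"] in ("ERROR", "INFO"):
            rows.append({"loggingMessage": f["loggingMessage"], "isError": f["loggingType"] == "ERROR"})
    return rows
```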